
What we need to know about data privacy

Eden Estopace - The Philippine Star

MANILA, Philippines - Global spending on cybersecurity is on the rise. Research firm Gartner projects spending to grow at a compounded annual growth rate (CAGR) of 17.8 percent year-on-year and would reach about $170 billion by 2020.

The reason is clear. Distributed denial of service (DDoS) attacks, account hijacking, web defacement, DNS hijacking and other forms of cyber attacks are increasing and becoming more vicious.

Two of the biggest cyber attacks in the world this year involved the Philippines – the defacement of the website of the Commission on Elections (Comelec) last March, which leaked sensitive information of 55 million voters; and the attack on the Bangladesh Central Bank that allowed hackers to illegally transfer $951 million to fictitious bank accounts around the world, including the Philippines.

Nino Valmonte, marketing director of IP Converge, said in a forum that the sustained spending on cybersecurity (or the protection of information systems from theft or damage) is due to these high-profile breaches. Here in the Philippines, however, he said there is a minimal increase in cybersecurity spending because it is only now that companies are starting to realize its importance.

But the fact that targets of cyber attacks have widened to cover not just government agencies and banking and financial institutions, but also other vital industries like e-commerce, educational institutions, healthcare, and telecommunications should raise the red flag.

Even individuals are not immune to attack. Anything that is connected to the Internet – PCs, laptops, smartphones, routers, firewalls, the Web, and email – could be used as bots to launch a DDoS attack. Moreover, according to Internet Live Stats, there are now more than a billion websites globally, which means more potential victims of cyber attacks.

“The Internet of Things (IoT) will introduce more vulnerable systems than ever. It’s no longer relegated to PCs and laptops that can be turned into a bot,” he said.

Citing research from Indusface and Incapsula, Valmonte added that the cost of launching a DDoS attack has also gone down to $5 per hour from $38 a year ago, and a hacker will only need to spend about $200 to $250 to overwhelm an average website.

“The bottom line here is that no one is safe. If you are on the Internet, you need to secure your data,” he said.

Why data matters

In a highly connected world, not everybody understands the importance of keeping personal data private and the implication of its loss. In particular, Filipinos generally do not have qualms about sharing personal information even with strangers. This, however, should change.

Take the case of a lost credit card, debit card, or ATM card. To replace them, you need to call the bank and before they can process your request, they will verify your identity by asking for your birthday, your present address, your mother’s maiden name, your children’s or spouse’s name and other sensitive information.

It seems like a harmless exercise but if someone gets hold of this personal information, they can easily call your bank to replace your credit, debit and ATM cards with new passwords and have it delivered to a new address. They could take a step further to replace your identification cards as well. This is referred to as identity theft or the use of someone else’s identity, usually to gain financial advantage.

Al Alegre, executive director of Foundation for Media Alternatives (FMA), a group working on Internet rights, digital rights, Internet governance and ICT policies for public interest, said there is a need to educate the public on the need for data privacy as it is a crucial step in protecting the public from many forms of cybercrime or IT security risks.

“Why is privacy being raised on the level of public policy? Its rising significance is real because of the environment we live in,” he said. “Security, terrorism, crime (are rampant). As citizens we need protection. There’s also the economic side – companies are collecting more and more data about ourselves. Those data may be sold, lost to thieves, or mishandled. In a digital society, surveillance, bullying, harassment can be done virtually.”

He said the International Telecommunication Union (ITU) defines privacy as the right of individuals to control or influence what information related to them may be disclosed. However, it is no longer just information or communication that needs to be kept private and confidential. There is also a need to protect our biometric data (photos, fingerprints, iris scans, body scans, DNA information, medical or health records); our territory or location (where we live and where we are in real time); and even our political decisions.

Mitigating risks

Joey Regala, president of the Information Security Officers Group (ISOG) and chief information security officer of UCPB, said that following the leak of sensitive information of Filipino voters last March, the Bangko Sentral ng Pilipinas (BSP) released new guidelines on establishing customer identity for banks.

“We know for sure that your date of birth, your gender, your full name and your mother’s maiden name are there (included in the data leak). So the security questions have been modified. Two-factor or multi-factor authentication is also being used,” he said.

At ISOG, he added that CISOs of banks are working to create awareness in the banking community (of the security risks) and putting in place security measures to protect customer data.

“We implement security tools such as data leak protection and data rights management (when you accidentally send data to the wrong party, it cannot be opened because it is encrypted). There is also the database monitoring system. Simply put, if there are (instances of) authorized extraction of files (in a database), they will be blocked,” Regala added.

Relative to that, he said there are other standards such as the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

“If a credit card is swiped to a merchant’s POS, the POS should be encrypted so transmission between the POS and the host should not be sniffed,” he said.

When it comes to protection of information, Valmonte shared that there is actually a global standard that organizations may use: the ISO 27001:2013 Information Security Management Systems (ISMS).

“It is a set of policies concerned with information security management or IT-related risks. The governing principle behind this is that an organization should design, implement and maintain a coherent set of policies, processes, and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk,” he said.

This set of policies and procedures underscores three key things: confidentiality, or protecting information from unauthorized parties; integrity, or protecting information from unauthorized users and making sure that the data or information is up-to-date and unchanged; and availability, or making it available to authorized owners only.

The role of government

In June this year, BusinessWorld reported that a senior research fellow at the Philippine Institute for Development Studies filed a formal complaint with the National Privacy Commission against the Comelec for its alleged failure to comply with the Data Privacy Act in protecting sensitive personal information of Filipino voters.

Jose Ramon G. Albert was quoted in the report as saying, “He was pursuing this case as a private citizen worried about the implications of the breach to his privacy and personal security.”

While the Data Privacy Act (DPA) of 2012 was enacted into law four years ago, it is only this year that the government has appointed a commissioner of the National Privacy Commission, which is in charge of implementing the law.

Raymond Liboro, formerly assistant secretary at the Department of Science and Technology (DOST), is the country’s first privacy chief.

“The Data Privacy Act is expected to provide the necessary protection for sensitive information in both public and private IT systems. That means our mandate is to protect the fundamental right to privacy and at the same time ensure the free flow of information,” he said.

Liboro stressed during the forum that the Comelec, along with other organizations (public and private) that collect and store personal data of citizens or customers, has a responsibility to take care of that information.

In collecting data, he said there are three basic data principles: transparency (what is the information being collected for), legitimacy of purpose (why do you need that kind of information), and proportionality (the information collected must only be enough for the stated need).

“This is really about risk management. We need to establish safeguards to protect the data,” he said.

In a world that is beginning to be more privacy-conscious, Alegre said there is a need to clarify the key concepts. “Privacy is a right. Confidentiality is a duty of all those who handle private information. Security is merely the processes and mechanisms to protect that data,” he said.

However, as Valmonte concluded: “Security is a commitment, not an appliance or an application.”
